ida batch decompile: IDA Batch Decompile plugin

by do son ·

IDA Batch Decompile

IDA Batch Decompile is a plugin for Hex-Ray’s IDA Pro that adds the ability to batch decompile multiple files and their imports with additional annotations (xref, stack var size) to the pseudocode .c file

idabatchdecompile

Usage

idascript (gui mode)

  1. open target, wait for analysis to finish
  2. IDA Pro -> File/Script file... -> <this_python_script>
  3. IDA Pro -> File/Produce file-> IdaDecompileBatch ...
  4. tick Annotate StackVarSizeAnnotate Func XRefs
  5. click OK to decompile.

Note: File will be saved in target folder as <target_image_name.c>

idascript (cmdline batch mode)

<path_to_ida>/ida(w|w64)(.exe) -B -M -S”<path_to_this_script> \”–option1\” \”–option2\””, “<target>”`

Note that options need to be quoted with \"

Available options, see --help

--output                        ... output file path

--annotate-stackvar-size        ... annotate function stack variable sizes

--annotate-xrefs                ... annotate function xrefs

--imports                       ... process imports

--recursive                     ... recursive batch decompile

--experimental-decompile-cgraph ... experimental: manually decompile function call graph

 

Ida Plugin

  1. Follow the IDA Pro documentation on how to add python plugins.
  2. IDA Pro -> File/Produce file -> IdaDecompileBatch ...

run

ida console: decompiling dbghelp.dll

[__main__/36908][DEBUG     ] [idabatchdecompile.PLUGIN_ENTRY  ] [+] initializing IdaDecompileBatchPlugin

[__main__/36908][DEBUG     ] [idabatchdecompile.__init__      ] [+] is_windows: True

[__main__/36908][DEBUG     ] [idabatchdecompile.__init__      ] [+] is_ida64: False

[__main__/36908][DEBUG     ] [idabatchdecompile.wait_for_analysis_to_finish] [+] waiting for analysis to finish...

[__main__/36908][DEBUG     ] [idabatchdecompile.wait_for_analysis_to_finish] [+] analysis finished.

[__main__/36908][DEBUG     ] [idabatchdecompile.load_plugin_decompiler] [+] trying to load decompiler plugins

[__main__/36908][DEBUG     ] [idabatchdecompile.load_plugin_decompiler] [+] decompiler plugins loaded.

[__main__/36908][DEBUG     ] [idabatchdecompile.PLUGIN_ENTRY  ] [+] Mode: commandline w/o args

[__main__/36908][DEBUG     ] [idabatchdecompile.set_ctrl      ] [+] IdaDecompileBatchPlugin.set_ctrl(<__main__.IdaDecompileBatchController object at 0x056FCF90>)

[__main__/36908][DEBUG     ] [idabatchdecompile.init          ] [+] IdaDecompileBatchPlugin.init()

[__main__/36908][DEBUG     ] [idabatchdecompile.init          ] [+] setting up menus

[__main__/36908][INFO      ] [idabatchdecompile.PLUGIN_ENTRY  ] [i] IdaDecompileBatch loaded, see Menu: ('File/Produce file/', 'IdaDecompileBatch ...')

...

 The application has been completely decompiled.

[__main__/36908][DEBUG     ] [idabatchdecompile.decompile_all ] [+] finished decompiling 'dbghelp.dll' as 'dbghelp.c'

 

Source: https://github.com/tintinweb/ida-batch_decompile

Tags: IDAIDA Batch Decompile